Abstract. Every graph has a canonical finite abelian group attached to it. This
group has appeared in the literature under a variety of names including the sandpile 
group, critical group, Jacobian group, and Picard group. The construction of this 
group closely mirrors the construction of the Jacobian variety of an algebraic curve. 
Motivated by this analogy it was recently suggested by Norman Biggs that the critical
group of a finite graph is a good candidate for doing discrete logarithm based
cryptography. In this paper, we study a bilinear pairing on this group and show how 
to compute it. Then we use this pairing to find the discrete logarithm efficiently, 
thus showing that the associated cryptographic schemes are not secure. Our approach 
resembles the MOV attack on elliptic curves. 



1. Introduction 

1.1. Overview. Every graph has a canonical finite abelian group whose order is the 
number of spanning trees of the graph. This group has appeared in the literature under 
many different names; in theoretical physics it was first introduced as the "abelian 
sandpile group" or "abelian avalanche group" in the context of self-organized critical 
phenomena ([3, 16, 19]). In arithmetic geometry, this group appeared as the "group of
components" in the study of degenerating algebraic curves ([20]). In algebraic graph
theory this group appeared under the name "Jacobian group" or "Picard group" in
the study of flows and cuts in graphs ([2]). The study of a certain chip-firing game on
graphs led to the definition of this group under the name "critical group" ([El E]). 

The construction of this group closely mirrors the construction of the Jacobian variety 
of an algebraic curve. Motivated by this analogy, Norman Biggs in [10] suggests that 
the Jacobian of a finite graph (which he calls the "critical group") might be suitable 
for discrete logarithm based cryptography. 

In this paper, we study the discrete logarithm problem on the Jacobian of finite 
graphs. Our main result is an algorithm to efficiently compute discrete logarithms on 
these groups. Therefore, unlike elliptic curves and Jacobian varieties, one cannot use
the Jacobian of finite graphs for cryptographic purposes. It is an intriguing problem
whether the fact that discrete logarithm can be done efficiently might have any algorithmic
applications. Our algorithm uses a bilinear pairing, which we call the monodromy
pairing, on this group. This approach is similar to the MOV attack on elliptic curves. 
For our application, we study the monodromy pairing and show how to compute it. 

1.2. Related work. The order of the Jacobian group is the number of spanning trees 
of the graph ([8]). Hence, the order of the group can be computed by the famous
matrix-tree formula of Kirchhoff. 

Finite graphs and algebraic curves behave similarly in many respects. Recently, there 
have been an increasing number of papers pursuing this analogy. Some relationship 
between elliptic curves and chip-firing games on graphs is noticed in [23]. In [51 [3] a 
version of the famous Riemann-Roch theorem is proved for finite graphs, a discrete 
analogue of holomorphic maps between Riemann surfaces is introduced, and a graph- 
theoretic Riemann-Hurwitz formula is proved. A Torelli theorem for graphs is proved
in [H HI]. The relationship between graph theory and algebraic geometry goes beyond
a simple analogy. For example, Mikhalkin and Zharkov in [23] prove that an (abstract)
"tropical curve" is simply a connected "metric graph".

1.3. Previous work. Norman Biggs in [10] constructs a family of graphs with cyclic 
Jacobian groups, to be potentially used for cryptography. The problem of finding families
of graphs with cyclic Jacobian groups is subsequently studied in [211 EEl [23]. These
provide examples of cyclic Jacobian groups with appropriate order, so that the discrete
logarithm problem cannot be solved by the known purely group theoretic methods.

After completion of our work, we discovered a preprint by Blackburn ([11]) in which 
the discrete logarithm problem is addressed for the particular family of graphs constructed
by Biggs in [10]. It is fairly clear that methods presented in [11], with some
minor modifications, can also be applied to the general case. Our method is quite different
from Blackburn's method, and our algorithm in §4 also works for any graph with
a cyclic Jacobian group. 

To our knowledge, the monodromy pairing was first introduced by Bosch and Lorenzini
in [13]. We have not found an easy-to-compute formula, like (3.9), in the literature.

The paper proceeds as follows. In §2 we provide the relevant definitions. The monodromy
pairing is studied in §3. Using the monodromy pairing, we give our discrete
logarithm algorithm in §4. Further remarks and results are outlined in §5. Appendix A
contains a new proof of Theorem 3.5.

2. Definitions 

2.1. Notation and Terminology. Throughout this paper, a graph means a finite, 
unweighted multigraph with no loops. All graphs are assumed to be connected. For 
a graph G, the set of vertices is denoted by V(G), and the set of edges is denoted
by E(G). Throughout this paper, n and m denote the number of vertices and edges,
respectively. 

Let $\{v_1, \ldots, v_n\}$ be an ordering of V(G). With respect to this ordering, the Laplacian
matrix Q associated to G is the $n \times n$ matrix $Q = (q_{ij})$, where $q_{ii}$ is the degree of vertex
$v_i$, and $-q_{ij}$ ($i \ne j$) is the number of edges connecting $v_i$ and $v_j$. It is well-known (and
easy to verify) that Q is symmetric, has rank $n - 1$, and the kernel of Q is spanned by
1, the all-one vector (see, e.g., ff\ IT2]).

2.2. The Jacobian of a finite graph. Let Div(G) be the free abelian group generated 
by V(G). One can think of elements of Div(G) as formal integer linear combinations of
vertices

$$\mathrm{Div}(G) = \Big\{ \sum_{v \in V(G)} a_v (v) : a_v \in \mathbb{Z} \Big\} .$$

By analogy with the algebraic curve case, elements of Div(G) are called divisors on G.
For a divisor D, the coefficient $a_v$ of (v) in D is denoted by D(v).

We denote by $\mathcal{M}(G) = \mathrm{Hom}(V(G), \mathbb{Z})$ the abelian group consisting of all
integer-valued functions on the vertices. One can think of $\mathcal{M}(G)$ as analogous to the group
$\mathcal{M}(X)^{\times}$ of nonzero meromorphic functions on an algebraic curve X.

For $f \in \mathcal{M}(G)$, $\mathrm{div}(f) \in \mathrm{Div}(G)$ is given by the formula

$$\mathrm{div}(f) = \sum_{v \in V(G)} \mathrm{ord}_v(f)\,(v) ,$$

where 

ord,(/)= 

{v,w}£E(G) 

Consider the group homomorphism $\deg : \mathrm{Div}(G) \to \mathbb{Z}$ defined by $\deg(D) = \sum_{v \in V(G)} D(v)$.
Denote by Div°(G) the kernel of this homomorphism, consisting of divisors of degree
zero. Define $\mathrm{Prin}(G) = \{\mathrm{div}(f) \in \mathrm{Div}(G) : f \in \mathcal{M}(G)\}$ to be the group of principal
divisors.

Lemma 2.1. $\mathrm{Prin}(G) \subseteq \mathrm{Div}^0(G)$, and both Prin(G) and Div°(G) are free $\mathbb{Z}$-modules
of rank $n - 1$.

A proof is given in [8]. As a corollary, the quotient group 

Jac(G) = Div°(G)/Prin(G)

is well-defined and is a finite abelian group. Following [2], it is called the Jacobian or
the Picard² group of G.

Lemma 2.2. (^ISJj The order of the group Jac(G) is equal to the number of spanning 
trees in G, which we denote by k(G). 

Remember that G has no loops. 

2 Another appropriate notation is Pic°(G).

Following [5], for $D_1, D_2 \in \mathrm{Div}(G)$, we say that $D_1$ is equivalent to $D_2$, and write
$D_1 \sim D_2$, if $D_1 - D_2$ is a principal divisor.

3. A bilinear pairing on the Jacobian of finite graphs

3.1. Generalized inverses. A matrix can have an inverse only if it is square and its 
columns (or rows) are linearly independent. But one can still get a "partial inverse" of
any matrix.

Definition. Let A be a matrix (not necessarily square). Any matrix L satisfying 
ALA = A is called a generalized inverse of A. 

It is somewhat surprising that for every matrix A there exists at least one generalized
inverse. In fact, more is true; every matrix has a unique Moore-Penrose pseudoinverse³.

Let Q be the Laplacian matrix of a connected graph. Since its rank is n − 1, it cannot
have an inverse. But there are many ways to obtain generalized inverses: 

Example 3.1. Fix an integer $1 \le i \le n$. Let $Q_i$ be the $(n - 1) \times (n - 1)$ matrix
obtained from Q by deleting the $i$-th row and $i$-th column. Then $Q_i$ is a full rank matrix and
has an inverse $Q_i^{-1}$. Let $L_{(i)}$ be the $n \times n$ matrix obtained from $Q_i^{-1}$ by inserting a zero
row after the $(i - 1)$-th row and inserting a zero column after the $(i - 1)$-th column. Then
$L_{(i)}$ is a generalized inverse of Q. One can check that

$$Q L_{(i)} = I + R_{(i)} ,$$

where I is the identity matrix, and $R_{(i)}$ has $-1$ entries in the $i$-th row and is zero
everywhere else. As $R_{(i)} Q = 0$, we get $Q L_{(i)} Q = Q$.

Example 3.2. Let J be the $n \times n$ all-one matrix. Then $Q + \frac{1}{n} J$ is nonsingular and
$Q^+ = (Q + \frac{1}{n} J)^{-1} - \frac{1}{n} J$ is a generalized inverse of Q. In fact it is the unique Moore-Penrose
pseudoinverse of Q; it is easy to check $Q Q^+ = Q^+ Q = I - \frac{1}{n} J$ and $Q^+ Q Q^+ = Q^+$.

These examples show that computing a generalized inverse L takes time at most
$O(n^{\omega})$, where $\omega$ is the exponent for matrix multiplication.

3.2. The monodromy pairing. A kind of graph-theoretic analogue of the Weil pairing
on the (principally polarized) Jacobian of an algebraic curve is provided by a certain
bilinear pairing on Jac(G), which we define in this section⁴.

For $D_1, D_2$ in Div°(G), let $m_1$ and $m_2$ be integers such that $m_1 D_1 = \mathrm{div}(f_1)$ and
$m_2 D_2 = \mathrm{div}(f_2)$ are principal; these exist because Jac(G) is a finite group. One can
easily show that

$$\frac{1}{m_2} \sum_{v \in V(G)} D_1(v) f_2(v) = \frac{1}{m_1} \sum_{v \in V(G)} f_1(v) D_2(v) . \tag{3.3}$$

3 The Moore-Penrose pseudoinverse of A is a generalized inverse of A with three extra properties; 
see [B] for an extensive study of the subject. 

4 The monodromy pairing is symmetric, while the Weil pairing is skew-symmetric.

The pairing $\langle \cdot , \cdot \rangle : \mathrm{Div}^0(G) \times \mathrm{Div}^0(G) \to \mathbb{Q}$ defined by

$$\langle D_1, D_2 \rangle = \frac{1}{m_2} \sum_{v \in V(G)} D_1(v) f_2(v) \tag{3.4}$$

is symmetric and bilinear. This pairing descends to a well-defined pairing on Jac(G).
We use the notation $\bar{D}$ for an element of Jac(G), if D is a lift of that element in Div°(G).

Theorem 3.5. The pairing $\langle \cdot , \cdot \rangle : \mathrm{Jac}(G) \times \mathrm{Jac}(G) \to \mathbb{Q}/\mathbb{Z}$ defined by

$$\langle \bar{D}_1, \bar{D}_2 \rangle = \frac{1}{m_2} \sum_{v \in V(G)} D_1(v) f_2(v) \pmod{\mathbb{Z}} , \tag{3.6}$$

where $m_2 D_2 = \mathrm{div}(f_2)$, is a well-defined, symmetric, bilinear, non-degenerate pairing
on Jac(G).

This theorem, in a slightly different language, is proved in [13]. We give a more
elementary proof in Appendix A.

Definition. We call the pairing described in Theorem 3.5 the monodromy pairing (see
Remark 1 in §5 for this terminology).

Remark 3.7. Let $\Phi$ be a finitely generated abelian group. A symmetric bilinear pairing
$\langle \cdot , \cdot \rangle : \Phi \times \Phi \to \mathbb{Q}/\mathbb{Z}$ is called non-degenerate (or regular) if the group homomorphism
$\Phi \to \mathrm{Hom}_{\mathbb{Z}}(\Phi, \mathbb{Q}/\mathbb{Z})$ defined by $x \mapsto \langle x, \cdot \rangle$ is injective. If it is an isomorphism, it is
called perfect (or unimodular). If a pairing on a finitely generated abelian group is
non-degenerate, then it is automatically perfect⁵ (see [H]). For a finite abelian group
$\Phi$, this fact is immediate; there exists a (non-canonical) isomorphism between $\Phi$ and
its Pontryagin dual $\mathrm{Hom}_{\mathbb{Z}}(\Phi, \mathbb{Q}/\mathbb{Z})$ (see p. 167 of [ 1 TJ ).

Let $\{v_1, \ldots, v_n\}$ be an ordering of V(G). Let Q be the Laplacian matrix with respect
to this ordering. This ordering gives an isomorphism between abelian groups Div(G),
$\mathcal{M}(G)$, and the $\mathbb{Z}$-module of $n \times 1$ column vectors having integer coordinates. Let [D]
denote the column vector corresponding to $D \in \mathrm{Div}(G)$, and [f] denote the column
vector corresponding to $f \in \mathcal{M}(G)$.

The given definition of the monodromy pairing in (3.6) is canonical. However, the
following proposition simplifies the proof of Theorem 3.5. Moreover, it shows how one
can compute the monodromy pairing in practice.

Proposition 3.8. Let L be any generalized inverse of the Laplacian matrix Q. Then
the monodromy pairing is given by

$$\langle \bar{D}_1, \bar{D}_2 \rangle = [D_1]^T L [D_2] \pmod{\mathbb{Z}} . \tag{3.9}$$



5 Moreover, the group is torsion in this situation.

Proof. By definition $m_i [D_i] = [\mathrm{div}(f_i)] = Q[f_i]$ for i = 1, 2. The result follows from the
following computations. All equalities are mod Z.



We emphasize that any generalized inverse of the Laplacian matrix can be used in 



4. Discrete Logarithm Problem on the Jacobian of a finite graph 

Let $(\Phi, +)$ be a cyclic group. The Discrete Logarithm Problem (DLP) can be stated
as:

Given $g, h \in \Phi$ with $x \cdot g = h$ for some integer x, compute x mod ord(g).

In this section we use the monodromy pairing to solve the DLP for the Jacobian of 
a finite graph G when Jac(G) is cyclic. 

In our context, we assume the elements of Jac(G) are presented by some (arbitrary)
lifts in Div°(G). Also, we assume⁶ a generator g of the cyclic group Jac(G) is known.
We can compute and save a generalized inverse L of Q as outlined in §3.1.

Algorithm. (DLP on Jac(G)) 

Input: $D, D' \in \mathrm{Div}^0(G)$ such that $D' = x \cdot D$ in Jac(G).
Output: x mod ord(D), where ord(D) is the order of D in Jac(G).

(1) Compute $\langle D, g \rangle = r + \mathbb{Z}$ and $\langle D', g \rangle = r' + \mathbb{Z}$ using formula (3.9).

(2) Solve the Diophantine equation $r' = rx + y$ (for variables $x, y \in \mathbb{Z}$) by clearing
the denominators of r and r' and using the extended Euclidean algorithm, to
get x mod ord(D).

6 There are several efficient methods to find a generator; we omit the details here. 




veV(G) 




□ 



(PES). 
Analysis of the algorithm. Since the monodromy pairing is bilinear, we have
$\langle D', g \rangle = x \langle D, g \rangle$, or $r' = rx$ in $\mathbb{Q}/\mathbb{Z}$. We still need to prove that solving the Diophantine
equation precisely gives x modulo the order of D in Jac(G).

Lemma 4.1. Let g be a generator of the cyclic group Jac(G). Let h be any element of
Jac(G). If $\langle h, g \rangle = \frac{a}{b} + \mathbb{Z}$ ($a, b \in \mathbb{Z}$, $\gcd(a, b) = 1$) then b is precisely the order of h in
Jac(G).

Proof. Let $\gamma$ be the order of h in Jac(G). By bilinearity of the monodromy pairing,
$\frac{\gamma a}{b} + \mathbb{Z} = \gamma \langle h, g \rangle = \langle \gamma \cdot h, g \rangle = \langle 0, g \rangle = \mathbb{Z}$, and therefore $b \mid \gamma$.

On the other hand, $\langle b \cdot h, g \rangle = b \langle h, g \rangle = a + \mathbb{Z} = \mathbb{Z}$. Since Jac(G) is cyclic and the
monodromy pairing is bilinear, all elements of Jac(G) must pair trivially with $b \cdot h$. By
non-degeneracy of the monodromy pairing we get $b \cdot h = 0$, which means $\gamma \mid b$. Therefore
$\gamma = b$. □

Now we can show that the algorithm precisely gives x mod the order of D in Jac(G);
since D' = xD, the order of D' divides the order of D. By Lemma 4.1, for $r = \frac{a}{b}$ ($a, b \in \mathbb{Z}$,
$\gcd(a, b) = 1$), b is the order of D in Jac(G). Multiplying by b clears the denominators in
r' = rx + y, and we get ax + by = c, for some integer c. It is an elementary fact that
the linear Diophantine equation ax + by = c (with gcd(a, b) = 1) has a solution, and x is
determined mod b.

Both steps (1) and (2) can be done in time at most $O(n^2)$. □
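
The algorithm and Lemma 4.1, worked through in exact rational arithmetic as an added example (not code from the paper). It uses the generalized inverse of Example 3.1 with i = n; the diamond graph, the divisors D and D_PRIME, the function F and all function names are constructed for illustration.

```python
from fractions import Fraction

def laplacian(n, edges):
    """Laplacian Q of a loopless multigraph on vertices 0..n-1."""
    Q = [[0] * n for _ in range(n)]
    for u, v in edges:
        Q[u][u] += 1; Q[v][v] += 1
        Q[u][v] -= 1; Q[v][u] -= 1
    return Q

def generalized_inverse(Q):
    """Example 3.1 with i = n: invert Q without its last row and column
    (exact Gauss-Jordan over the rationals), then pad with zeros."""
    k = len(Q) - 1
    A = [[Fraction(Q[r][c]) for c in range(k)] +
         [Fraction(int(r == c)) for c in range(k)] for r in range(k)]
    for col in range(k):
        piv = next(r for r in range(col, k) if A[r][col] != 0)
        A[col], A[piv] = A[piv], A[col]
        A[col] = [x / A[col][col] for x in A[col]]
        for r in range(k):
            if r != col and A[r][col] != 0:
                A[r] = [x - A[r][col] * y for x, y in zip(A[r], A[col])]
    return [row[k:] + [Fraction(0)] for row in A] + [[Fraction(0)] * (k + 1)]

def pairing(L, D1, D2):
    """Formula (3.9): [D1]^T L [D2] mod Z, returned as a Fraction in [0, 1)."""
    n = len(L)
    return sum(D1[i] * L[i][j] * D2[j] for i in range(n) for j in range(n)) % 1

def is_principal(L, E):
    """A degree-0 divisor E equals Q v for an integer v iff L[E] is integral."""
    n = len(E)
    return sum(E) == 0 and all(
        sum(L[i][j] * E[j] for j in range(n)).denominator == 1 for i in range(n))

def dlog(L, g, D, D_prime):
    """Section 4 algorithm: returns (x mod b, b) where b = ord(D) in Jac(G)."""
    r, r_prime = pairing(L, D, g), pairing(L, D_prime, g)
    a, b = r.numerator, r.denominator      # Lemma 4.1: b is the order of D
    c = r_prime * b                        # a*x + b*y = c needs an integer c
    if c.denominator != 1:
        raise ValueError("D' is not a multiple of D in Jac(G)")
    if b == 1:
        return 0, 1
    return (c.numerator * pow(a, -1, b)) % b, b   # modular inverse: Python 3.8+

# Constructed sample: the diamond graph (K4 minus one edge). It has 8 spanning
# trees and Jac(G) is cyclic of order 8.
Q = laplacian(4, [(0, 1), (0, 2), (1, 2), (1, 3), (2, 3)])
L = generalized_inverse(Q)
G = [0, 1, 0, -1]   # generator: <g, g> = 5/8 has denominator 8 = |Jac(G)|
D = [0, 0, 1, -1]
F = [3, -1, 4, 0]   # arbitrary function; adding Q[F] picks another lift of 5*D
D_PRIME = [5 * D[i] + sum(Q[i][j] * F[j] for j in range(4)) for i in range(4)]

def demo():
    """Recover x = 5 from (D, D_PRIME) and confirm x*D - D_PRIME is principal."""
    x, order = dlog(L, G, D, D_PRIME)
    return x, order, is_principal(L, [x * d - e for d, e in zip(D, D_PRIME)])
```

The recovered exponent does not depend on which lift of D' is supplied, since changing the lift by a principal divisor changes [D']^T L [g] only by an integer.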

Remark 4.2 (DLP on the Critical group of finite graphs). Fix a vertex q. In [10]
each element of the Jacobian group is presented by a canonical (relative to the base
vertex q) lift in Div°(G), which is called the critical configuration (based at q), and is
defined by a certain chip-firing game on the graph. It is known that in each equivalence
class of divisors there is a unique such critical configuration. q-reduced divisors (or
G-parking functions based at q) provide another set of canonical elements for equivalence
classes (see, e.g., [27] and references therein). Hence, the group law on Jac(G) =
Div°(G)/Prin(G) induces a group law on the set of q-critical configurations, or the
set of q-reduced divisors⁷. Biggs ([9]) calls the former set with the induced group law
the critical group K(G) of the graph, and suggests in [10] that the DLP is hard on
the critical group. We note that the algorithm given in this paper works for any lift
of elements of Jac(G) to Div°(G), and therefore it also solves the DLP on the critical
group, as well as the "reduced divisors group". Some related algorithmic questions are
studied in [27] and $E\.

5. Concluding remarks 
We conclude with some remarks. 



7 In particular, the cardinalities of these sets are equal to the number of spanning trees.

1. The pairing described in Theorem 3.5 is called the monodromy or Grothendieck's
pairing for the following reason. If K is the field of fractions of a strictly
henselian discrete valuation ring R, then a theorem of Raynaud [26] asserts that
the component group $\Phi_J$ of the Néron model of the Jacobian J of a semistable
curve X/K is isomorphic to the Jacobian of the dual graph G of the special
fiber of any semistable regular model for X over R. Under the isomorphism
provided by Raynaud's theorem, the pairing on Jac(G) which we described in
§3.2 corresponds to Grothendieck's monodromy pairing on $\Phi_J$ (see [13]).

2. By Abel's theorem for graphs (see [2]), there is a canonical isomorphism 

$$\mathrm{Div}^0(G)/\mathrm{Prin}(G) \cong H_1(G, \mathbb{Z})^{\#}/H_1(G, \mathbb{Z})$$

where $H_1(G, \mathbb{Z})^{\#}$ denotes the dual of the cycle lattice $H_1(G, \mathbb{Z})$ with respect to
the standard inner product on the 1-chain group $C_1(G, \mathbb{Z})$. It can be shown that
under this canonical isomorphism, the monodromy pairing on Div°(G)/Prin(G)
corresponds to the negative of the discriminant form⁸ on $H_1(G, \mathbb{Z})^{\#}/H_1(G, \mathbb{Z})$.
This and some relevant results will appear in a subsequent paper by the
author.

3. Our approach to solve the DLP on the Jacobian of finite graphs resembles the 
MOV attack of Menezes, Okamoto, and Vanstone [22] for the DLP on elliptic 
curves. However, because the target group of the monodromy pairing is Q/Z 
(instead⁹ of $\mathbb{F}_{q^a}$), and because of Lemma 4.1, we get a deterministic
polynomial-time solution for cyclic Jacobian (instead of a probabilistic polynomial-time
reduction to the DLP in the group $\mathbb{F}^*_{q^a}$).

4. If Jac(G) is not cyclic, then one can still use the monodromy pairing, and 
solve the DLP efficiently. The idea is very similar to the MOV attack for elliptic
curves; one can compute enough congruences for x to eventually find x
mod ord(D). We omit the details here.

5. We have found at least two other methods of solving the DLP in this context. 
One method is essentially applying the independent work of Blackburn ([11])
to arbitrary graphs. In our judgment, the solution presented in this paper is 
particularly nice, and there is no need to present the other approaches. 

6. It is worth investigating how the given solution to the DLP for the Jacobian of 
finite graphs can relate to the DLP for the Jacobian of algebraic curves. 

7. It is an intriguing problem whether the fact that discrete logarithm can be 
done efficiently might have any algorithmic applications. Also the fact that 



8 If A is an integral lattice (i.e., a free Z-module of finite rank endowed with a non-degenerate
Z-valued symmetric bilinear form), then the dual lattice A# contains A as a finite index subgroup, and
the quotient group A#/A (called the discriminant group of the lattice) inherits in a natural way a
non-degenerate Q/Z-valued symmetric bilinear form, called the discriminant form (see [25] for more
details).

9 We also note that the monodromy pairing is symmetric, while the Weil pairing is skew-symmetric.

the Jacobian group is actually a bilinear group with an efficiently computable
pairing might have other algorithmic applications. 



Appendix A. Proof of Theorem 3.5

Here we outline an elementary proof of Theorem 3.5. We choose an ordering of V(G)
and use the formula (3.9).
Pairing is bilinear. This is obvious! 

Pairing is symmetric. This follows from (3.3). Alternatively, if L is any generalized
inverse of Q then $L^T$ is also a generalized inverse of Q (because Q is symmetric) and
we have

$$\begin{aligned}
\langle \bar{D}_2, \bar{D}_1 \rangle &= [D_2]^T L [D_1] \pmod{\mathbb{Z}} \\
&= ([D_1]^T L^T [D_2])^T \pmod{\mathbb{Z}} \\
&= [D_1]^T L^T [D_2] \pmod{\mathbb{Z}} \\
&= \langle \bar{D}_1, \bar{D}_2 \rangle .
\end{aligned}$$

Pairing is well-defined. Let $D_2$ and $D_2'$ in Div°(G) be two different lifts of $\bar{D}_2 \in \mathrm{Jac}(G)$.
Then they differ by a principal divisor $[D_2'] = [D_2] + Q[g]$ for some $g \in \mathcal{M}(G)$. Let
$m_1 [D_1] = Q[f_1]$. Then

$$\begin{aligned}
[D_1]^T L [D_2'] &= [D_1]^T L [D_2] + [D_1]^T L Q [g] \\
&= [D_1]^T L [D_2] + \frac{1}{m_1} [f_1]^T Q L Q [g] \\
&= [D_1]^T L [D_2] + \frac{1}{m_1} [f_1]^T Q [g] \\
&= [D_1]^T L [D_2] + [D_1]^T [g] .
\end{aligned}$$

So $[D_1]^T L [D_2'] \equiv [D_1]^T L [D_2] \pmod{\mathbb{Z}}$. By symmetry the same is true for different lifts
of $\bar{D}_1$.

Pairing is non-degenerate. We should show that if $D_1 \in \mathrm{Div}^0(G)$ is such that

$$\langle \bar{D}_1, \cdot \rangle = 0 \pmod{\mathbb{Z}}$$

then $D_1$ is a principal divisor. Let $x = L^T [D_1] \in \mathbb{Q}^n$. If $\langle \bar{D}_1, \cdot \rangle = 0 \pmod{\mathbb{Z}}$, then
$x^T u \in \mathbb{Z}$, for any zero-sum column vector $u \in \mathbb{Z}^n$. Substituting $e_i - e_1$ for u (where $e_i$
denotes the vector with a 1 in the $i$-th coordinate and 0's elsewhere), we get $x = r\mathbf{1} + v$
for some $r \in \mathbb{Q}$ and $v \in \mathbb{Z}^n$ ($\mathbf{1}$ denotes the all-one vector). Multiplying by Q, we have
$Qx = rQ\mathbf{1} + Qv = Qv$ or $Q L^T [D_1] = Qv$. Using $m_1 [D_1] = Q[f_1]$ and the fact that $L^T$

$$\frac{1}{m_1} Q L^T Q [f_1] = \frac{1}{m_1} Q [f_1] = [D_1] .$$

Therefore we have shown $[D_1] = Qv$ for some $v \in \mathbb{Z}^n$, which means $D_1$ must be a
principal divisor. □